SD-WAN Orchestrator 7.0.0.r1 Administration Guide

Regions and links

Each region can have a primary hub, secondary hub, and multiple edge devices. The secondary hub is optional and provides redundancy.

SD-WAN Orchestrator MEA automatically creates links between devices based on settings in the assigned profiles.

Links between hub devices

SD-WAN Orchestrator MEA automatically builds full-mesh overlay links between all primary and secondary hub devices. Primary hubs have higher priority than secondary hubs.

When a hub receives traffic destined for an edge subnet in its own region but its links to that edge device are down, it forwards the traffic over the hub-to-hub overlay links to another hub in the region that can still reach the edge device.

If LAN port communication is also configured between the hubs in a region, that LAN path is also used for this hub-to-hub forwarding.

Links between hub and edge devices in the same region

In the same region, the connection between the hub devices (primary and secondary hubs) and edge devices depends on the VPN mode. The VPN mode is configured in profiles, and a profile is assigned to each primary hub, secondary hub, and edge device when you add it to SD-WAN Orchestrator MEA. The following VPN modes are available:

  • Site-to-site VPN
  • Dialup VPN

The following summarizes how each VPN mode affects the connection between hub and edge devices:

Site-to-site VPN

Overlay links are full-mesh between the hub devices and edge devices in the same region.

Edge devices in the same region communicate with each other by forwarding packets through their region's hubs.

Dialup VPN

Overlay links are one-to-one between hub devices and edge devices in the same region. In other words, each WAN port on an edge device establishes an IPsec tunnel with only one WAN port on each hub device.

In Dialup VPN mode, ADVPN is supported to create shortcut tunnels between edge devices.

On hub devices, select one of the following options:

  • NONE - ADVPN is disabled. Edge devices in the same region communicate with each other by forwarding packets through their region's hub.
  • INSIDE_REGION - Shortcut tunnels are triggered by traffic and are established only between edge devices inside the same region.

On edge devices, toggle ADVPN on to enable ADVPN. Toggle off to disable ADVPN.

When a region contains both a primary hub and secondary hub, edge devices establish overlay links with both hubs in the region. Overlay links between edge devices and the primary hub have higher priority than overlay links between edge devices and secondary hubs.

When overlay links between edge devices and the primary hub are down, links between the edge device and the secondary hub are used to forward traffic.

When one hub receives traffic destined for an edge device subnet in its own region but its links to that edge device are down, the hub forwards the traffic over the hub-to-hub overlay links to the other hub in the region.

If LAN port communication is configured between the primary and secondary hubs in a region, the traffic is forwarded over that LAN path instead.

Edge device communication between regions

When site-to-site VPN mode is enabled, edge devices in one region communicate with devices in another region as follows:

  1. Edge devices send packets to their region's hub.
  2. The hub forwards the packet to the hub of the destination region.
  3. The hub from the destination region forwards the packet to the final destination.
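The link-creation and forwarding rules above (hub full mesh, per-mode hub-to-edge links, primary-before-secondary priority, hub-to-hub relay when an edge link is down, the optional LAN path, ADVPN shortcuts, and the three-step inter-region path) can be checked against a small model. The following is an added example, not Fortinet code, and SD-WAN Orchestrator MEA exposes no such API; the names `Device`, `build_links`, `forward_path` and `tunnels_between`, the Dialup port-pairing rule (edge WAN port i to hub WAN port i), the assumption that an ADVPN shortcut is already established, and the sample topology are all assumptions made for illustration.

```python
"""Toy model of the region/link rules on this page (added example, not Fortinet code)."""
from dataclasses import dataclass
from itertools import combinations

PRIORITY = {"primary": 0, "secondary": 1}   # lower value is preferred


@dataclass(frozen=True)
class Device:
    name: str
    region: str
    role: str            # "primary", "secondary" or "edge"
    wan_ports: int = 1


def _link(a, pa, b, pb):
    """Canonical tunnel tuple (dev_a, port_a, dev_b, port_b) with dev_a < dev_b."""
    return (a, pa, b, pb) if a < b else (b, pb, a, pa)


def build_links(devices, vpn_mode):
    """Return the set of IPsec tunnels the orchestrator would create."""
    hubs = [d for d in devices if d.role in PRIORITY]
    edges = [d for d in devices if d.role == "edge"]
    links = set()
    for a, b in combinations(hubs, 2):            # hubs: full mesh across all regions
        for pa in range(a.wan_ports):
            for pb in range(b.wan_ports):
                links.add(_link(a.name, pa, b.name, pb))
    for e in edges:                               # hub <-> edge: same region only
        for h in (h for h in hubs if h.region == e.region):
            if vpn_mode == "site-to-site":        # every edge port to every hub port
                pairs = [(pe, ph) for pe in range(e.wan_ports) for ph in range(h.wan_ports)]
            elif vpn_mode == "dialup":            # one tunnel per edge port (assumed i <-> i)
                pairs = [(p, p) for p in range(min(e.wan_ports, h.wan_ports))]
            else:
                raise ValueError(f"unknown VPN mode {vpn_mode!r}")
            for pe, ph in pairs:
                links.add(_link(e.name, pe, h.name, ph))
    return links


def tunnels_between(links, a, b):
    """All tunnels between devices a and b (used to simulate link failures)."""
    return {l for l in links if {l[0], l[2]} == {a, b}}


def forward_path(devices, links, vpn_mode, src, dst, down=frozenset(),
                 advpn_hub="NONE", advpn_edges=frozenset(), lan_hubs=frozenset()):
    """Hop list from edge src to edge dst, or None if no path survives `down`."""
    by_name = {d.name: d for d in devices}
    up = links - set(down)

    def connected(a, b):
        return bool(tunnels_between(up, a, b))

    def hubs_of(region):           # primary first, then secondary
        return sorted((d for d in devices if d.region == region and d.role in PRIORITY),
                      key=lambda d: PRIORITY[d.role])

    def ingress_hub(edge):         # primary hub preferred, secondary when its links are down
        return next((h.name for h in hubs_of(by_name[edge].region)
                     if connected(edge, h.name)), None)

    def deliver(hub, edge):        # last hop; relay via the other local hub if needed
        if connected(hub, edge):
            return [hub, edge]
        region = by_name[hub].region
        for other in hubs_of(region):
            if other.name != hub and connected(other.name, edge) and (
                    connected(hub, other.name) or region in lan_hubs):
                return [hub, other.name, edge]   # hub-to-hub overlay, or LAN path
        return None

    s, d = by_name[src], by_name[dst]
    if (vpn_mode == "dialup" and s.region == d.region
            and advpn_hub == "INSIDE_REGION" and {src, dst} <= set(advpn_edges)):
        return [src, dst]                         # ADVPN shortcut tunnel (assumed established)
    first = ingress_hub(src)
    if first is None:
        return None
    path = [src, first]
    if s.region != d.region:                      # cross the hub mesh to the destination region
        nxt = next((h.name for h in hubs_of(d.region) if connected(first, h.name)), None)
        if nxt is None:
            return None
        path.append(nxt)
    tail = deliver(path[-1], dst)
    return None if tail is None else path + tail[1:]


# Constructed sample topology: region A has both hubs, region B only a primary hub.
DEVICES = [
    Device("HA1", "A", "primary", 2), Device("HA2", "A", "secondary", 2),
    Device("EA1", "A", "edge", 2), Device("EA2", "A", "edge", 2),
    Device("HB1", "B", "primary", 2), Device("EB1", "B", "edge", 2),
]

if __name__ == "__main__":
    for mode in ("site-to-site", "dialup"):
        links = build_links(DEVICES, mode)
        print(mode, len(links), "tunnels; EA1->EB1:",
              forward_path(DEVICES, links, mode, "EA1", "EB1"))
```

Passing the result of `tunnels_between` as `down` simulates a WAN outage between two devices: taking EA2's tunnels to HA1 down makes HA1 relay through HA2, taking EA1's tunnels to HA1 down moves EA1's ingress to the secondary hub, and taking the HA1-HA2 overlay down as well leaves the LAN path (`lan_hubs={"A"}`) as the only way the relay still works.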
